The report to the President in accordance with Executive Order 13800, Supporting the Growth and Sustainment of the Nation's Cybersecurity Workforce, is subtitled, “Building the Foundation for a More Secure American Future,” recognizing the fundamental role played by the U.S. cybersecurity workforce. In their transmittal to the President, the Commerce and Homeland Security Secretaries noted that “in both the private and public sectors, cybersecurity practitioners and educators are vital to our national security—especially since other nations are paying greater attention to their cybersecurity workforce needs and the cybersecurity weaknesses of their adversaries.”
The report is based on analysis of available data and the information and views shared by businesses, educational organizations, training and certification providers, government agencies at multiple levels, and individuals. It also takes into account other assessments, including several called for by the President’s Executive Order 13800.
Findings and recommendations address both public and private sector needs. They were described as, “specific, forward thinking, and actionable” by the Commerce and Homeland Security Secretaries. Key findings and recommendations are noted below.
Key findings include:
- The United States needs immediate and sustained improvements in its cybersecurity workforce situation.
- Employers increasingly are concerned about the relevance of cybersecurity-related education programs in meeting the needs of their organizations.
- Expanding the pool of cybersecurity candidates by retraining those employed in non-cybersecurity fields and by increasing the participation of women, minorities, and veterans as well as students in primary through secondary school is needed and represents significant opportunities.
- There is an apparent shortage of knowledgeable and skilled cybersecurity teachers at the primary and secondary levels, faculty in higher education, and training instructors.
- Hiring considerations—including lengthy security clearance delays and onboarding processes—severely affect the sufficiency of the cybersecurity workforce.
- Comprehensive and reliable data about cybersecurity workforce position needs and education and training programs is lacking—even though the general context and urgency of the situation are obvious.
Key recommendations include:
- The Nation should set an ambitious vision and action plan-of-attack to “Prepare, grow, and sustain a national cybersecurity workforce that safeguards and promotes America’s national security and economic prosperity.”
- The federal government should lead in launching a high-profile national Call to Action to draw attention to and mobilize public and private sector resources to address cybersecurity workforce needs.
- The Administration should focus on, and recommend, long-term authorization and sufficient appropriations for, high-quality, effective cybersecurity education and workforce development programs in its budget proposals in order to grow and sustain the cybersecurity workforce.
- Federal departments and agencies must move quickly to address major needs relating to recruiting, developing, and retaining cybersecurity employees and continue to implement the Federal Cybersecurity Workforce Strategy and the Federal Cybersecurity Workforce Assessment Act of 2015 (FCWAA).
- The private and public sectors need to transform, elevate, and sustain the learning environment to grow a dynamic and diverse cybersecurity workforce by:
- Emphasizing and expanding opportunities for retraining so that current employees as well as displaced workers and veterans can be reskilled to take on cybersecurity roles.
- Building on and strengthening hands-on, experiential and work-based learning approaches—including apprenticeships, research experiences, co-op programs, and internships.
- Using virtual training and assessment environments to augment the limited cadre of teachers and other educators and trainers and to improve assessment tools that match candidates with the skills and knowledge needed to succeed in the workforce and as lifelong learners.
- Expanding the availability and expertise of teachers and faculty through incentives and policy changes.
- Providing greater financial assistance and other incentives to reduce student debt or subsidize cybersecurity education and training costs.
- The private and public sectors need to align education and training with employers’ cybersecurity workforce needs, improve coordination, and prepare individuals for lifelong careers by:
- Encouraging educators, training providers, and employers to use the taxonomy and lexicon of the NICE Cybersecurity Workforce Framework as the reference for building workforce development strategies.
- Developing model career paths for cybersecurity-related positions that can be used in the private and public sectors.
- Developing interdisciplinary cybersecurity curriculum guidance that incorporates employers’ cybersecurity needs.
- Establishing at least one regional alliance or partnership for cybersecurity education and workforce in each state.
- Establishing a clearinghouse of information on cybersecurity workforce development education, training, and workforce development programs and initiatives.
- The private and public sectors need to establish and leverage measures that demonstrate the effectiveness and impact of cybersecurity workforce investments. This includes:
- Ensuring that all cybersecurity education and training programs have an associated set of robust metrics and evaluation mechanisms to track and determine success in terms of the quantity and quality of individuals educated, trained, and ready to fulfill cybersecurity tasks in the workplace.
- Identifying and using tools to assess aptitude and skills related to cybersecurity positions in the workforce.
Actions to address findings and recommendations:
The report proposes actions to implement each of these recommendations. A variety of the recommendations—including making greater use of the NICE Cybersecurity Workforce Framework along with other steps to address needs relating to recruiting, developing, and retaining cybersecurity employees and to implement the Federal Cybersecurity Workforce Strategy and the Federal Cybersecurity Workforce Assessment Act of 2015 (FCWAA)—are being pursued by multiple federal agencies under existing authorities as resources allow. Likewise, recognizing the urgency of the situation, private sector organizations continue to advance their cybersecurity workforce programs.